vjw0rm | 7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchaseorder.js
Size

3.1MB
MD5

cd12101e3da7cfc1e15be51324d97f26
SHA1

3ef05de60568b30104e18a72b783c8e21fb83c01
SHA256

7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46
SHA512

fb26613b48898ebaa72f6e2188b7bda90aedd7e1d6ee6190d7fb6c53cbfd504910160ee3b902bbb3c3cb470ef710409f4bb6d742e2085cc154788b535c6b1ae1
SSDEEP

768:qQKDwkB5j+Dd3MLyi/vdvK8cuUzwJBO0enr8uYUlN8b6iLBJbr59RlwDh:x8wkDaDd3gyiVAz10+ouFkPr52d

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 51 IoCs

flow	pid	Process
14	1704	wscript.exe
17	2760	wscript.exe
18	2100	wscript.exe
22	2760	wscript.exe
23	1704	wscript.exe
28	2100	wscript.exe
38	2760	wscript.exe
39	1704	wscript.exe
40	2100	wscript.exe
54	2760	wscript.exe
65	1704	wscript.exe
67	2100	wscript.exe
81	2760	wscript.exe
87	1704	wscript.exe
88	2100	wscript.exe
110	2760	wscript.exe
115	1704	wscript.exe
116	2100	wscript.exe
119	2760	wscript.exe
122	1704	wscript.exe
123	2760	wscript.exe
124	2100	wscript.exe
129	2760	wscript.exe
130	1704	wscript.exe
131	2100	wscript.exe
147	2760	wscript.exe
156	1704	wscript.exe
159	2100	wscript.exe
175	2760	wscript.exe
177	1704	wscript.exe
178	2100	wscript.exe
179	2760	wscript.exe
180	1704	wscript.exe
181	2100	wscript.exe
182	2760	wscript.exe
183	2760	wscript.exe
184	1704	wscript.exe
185	2100	wscript.exe
186	2760	wscript.exe
187	1704	wscript.exe
188	2100	wscript.exe
193	2760	wscript.exe
200	1704	wscript.exe
201	2100	wscript.exe
202	2760	wscript.exe
203	1704	wscript.exe
204	2100	wscript.exe
205	2760	wscript.exe
210	2760	wscript.exe
211	1704	wscript.exe
212	2100	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchaseorder.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AkrDdIbORR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AkrDdIbORR.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchaseorder.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AkrDdIbORR.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchaseorder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchaseorder.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchaseorder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchaseorder.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchaseorder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchaseorder.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchaseorder = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Purchaseorder.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4960	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 1704	4524	wscript.exe	86
PID 4524 wrote to memory of 1704	4524	wscript.exe	86
PID 4524 wrote to memory of 2760	4524	wscript.exe	87
PID 4524 wrote to memory of 2760	4524	wscript.exe	87
PID 2760 wrote to memory of 2100	2760	wscript.exe	89
PID 2760 wrote to memory of 2100	2760	wscript.exe	89

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchaseorder.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AkrDdIbORR.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1704
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Purchaseorder.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AkrDdIbORR.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:2100

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AkrDdIbORR.js

Filesize
1.1MB

MD5
397495356e508277e1aa6e2f24cf43b4

SHA1
eac5ebb135efcf24988cfdf0c42e031630b701a4

SHA256
51e48daa54231a3f5b056882c66fad891cb81d2603a0845e0b44668d4533a3c3

SHA512
953f63373cc8d0c7122def46fa9a97124123b6cac95bcfdf2d783b2be91139a43c51f1936d1197de26b461768bc94fa69911851ff012a8d0f7a5d637b6461fa4

Download Submit
C:\Users\Admin\AppData\Roaming\AkrDdIbORR.js

Filesize
1.1MB

MD5
397495356e508277e1aa6e2f24cf43b4

SHA1
eac5ebb135efcf24988cfdf0c42e031630b701a4

SHA256
51e48daa54231a3f5b056882c66fad891cb81d2603a0845e0b44668d4533a3c3

SHA512
953f63373cc8d0c7122def46fa9a97124123b6cac95bcfdf2d783b2be91139a43c51f1936d1197de26b461768bc94fa69911851ff012a8d0f7a5d637b6461fa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AkrDdIbORR.js

Filesize
1.1MB

MD5
397495356e508277e1aa6e2f24cf43b4

SHA1
eac5ebb135efcf24988cfdf0c42e031630b701a4

SHA256
51e48daa54231a3f5b056882c66fad891cb81d2603a0845e0b44668d4533a3c3

SHA512
953f63373cc8d0c7122def46fa9a97124123b6cac95bcfdf2d783b2be91139a43c51f1936d1197de26b461768bc94fa69911851ff012a8d0f7a5d637b6461fa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchaseorder.js

Filesize
3.1MB

MD5
cd12101e3da7cfc1e15be51324d97f26

SHA1
3ef05de60568b30104e18a72b783c8e21fb83c01

SHA256
7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46

SHA512
fb26613b48898ebaa72f6e2188b7bda90aedd7e1d6ee6190d7fb6c53cbfd504910160ee3b902bbb3c3cb470ef710409f4bb6d742e2085cc154788b535c6b1ae1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Purchaseorder.js

Filesize
3.1MB

MD5
cd12101e3da7cfc1e15be51324d97f26

SHA1
3ef05de60568b30104e18a72b783c8e21fb83c01

SHA256
7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46

SHA512
fb26613b48898ebaa72f6e2188b7bda90aedd7e1d6ee6190d7fb6c53cbfd504910160ee3b902bbb3c3cb470ef710409f4bb6d742e2085cc154788b535c6b1ae1

Download Submit
C:\Users\Admin\AppData\Roaming\Purchaseorder.js

Filesize
3.1MB

MD5
cd12101e3da7cfc1e15be51324d97f26

SHA1
3ef05de60568b30104e18a72b783c8e21fb83c01

SHA256
7ef5dc83e3a2f53a078a034d6edb8b07684efe844af306b60e65509d61a01b46

SHA512
fb26613b48898ebaa72f6e2188b7bda90aedd7e1d6ee6190d7fb6c53cbfd504910160ee3b902bbb3c3cb470ef710409f4bb6d742e2085cc154788b535c6b1ae1

Download Submit
memory/4960-29-0x000001B861D40000-0x000001B861D50000-memory.dmp

Filesize
64KB

Download
memory/4960-45-0x000001B861E40000-0x000001B861E50000-memory.dmp

Filesize
64KB

Download
memory/4960-61-0x000001B86A130000-0x000001B86A131000-memory.dmp

Filesize
4KB

Download
memory/4960-63-0x000001B86A160000-0x000001B86A161000-memory.dmp

Filesize
4KB

Download
memory/4960-64-0x000001B86A160000-0x000001B86A161000-memory.dmp

Filesize
4KB

Download
memory/4960-65-0x000001B86A270000-0x000001B86A271000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads